What is Smishing and How to Defend Against It
- By David Lukic
- Published: Feb 23, 2022
- Last Updated: Mar 18, 2022
People depend on text messages for much more than sending emojis during boring meetings. People send 13 trillion texts worldwide every day, averaging 13 for each person. But there are hazards to so much texting, particularly the potential for smishing.
It’s become far easier to steal someone’s phone number. Many people post their contact information to social media profiles, immensely lowering the entry barrier for smishing attacks. This danger is augmented even more by the millions of websites that collect phone numbers for their marketing lists.
What Is the Smishing Definition?
Smishing is sending fraudulent text messages that appear to come from a trusted source, such as a bank or school, and ask for personal information or a PIN in order to steal information or funds. Smishing’s email-based twin is phishing.
Phishing has been a successful method of scamming people through email, so it’s natural to try it through mobile phones. However, because cell phone use can be unconscious and automatic, younger people are more likely to be victims of smishing attacks. In addition, companies are using SMS and text messages to reach customers at a high rate, so this volume contributes to the difficulty of discerning real from fake messages.
Email phishing attacks require email addresses, but smishing can be done by computers sending a high volume of messages to randomly generated combinations of 10-digit numbers that are likely to be phone numbers.
This process is worthwhile for scammers as studies show that unknown emails are only opened about 10 percent of the time, but people open 98 percent of unknown text messages. That means that even getting one or two percent of those people to act on a smishing message could be very lucrative to attackers if they’re able to steal money or personal information as a result. Smishing is so lucrative for scammers that the volume of these messages is growing exponentially.
How Does Smishing Work?
When your phone is always in your hand, you’re more likely to trust the information that comes through it. Unfortunately, we don’t always take time to think about which app is sending an alert or whether we recognize the phone number that the newest message is from. That’s what smishing scammers count on: their victims are those who make quick, emotion-based decisions to act on a message before verifying its source.
Some sophisticated attacks may direct you to your bank’s website and then launch an overlay screen that captures your PIN when you enter it.
The characteristics of a smishing attack are:
- The sender pretends to be someone of authority or representing an important institution like your bank, credit card company, school, or representative of your employer.
- The message requires you to act quickly – the scammer hopes you’ll respond without thinking.
- There’s an emotional aspect to the fake text, whether it’s fear, greed, or anger.
- If you look closely, there’s usually something a little “off” about the message, whether it’s a misspelling, an error in your name, or no personal greeting at all (a sign of a broadcast message sent to many people at once).
- There’s usually some interaction required, whether clicking on a link or typing in a PIN.
What is “Spear Smishing?”
Rather than sending a general message to thousands of phones, spear smishing is a targeted attack on an individual. The word smishing itself is an amalgamation of “SMS” and “phishing.”
Ordinary smishing attacks try to profit off the lowest common denominator. Scammers send out a low-effort, poorly worded message hoping to trick the inattentive, the old, or the technologically ignorant. They’ll also impersonate an influential figure like a bank or doctor to add further pressure.
With spear smishing, scammers perform more in-depth research on their targets and craft custom text messages. The goal is to leverage private information that grants credibility to the false persona the scammer is using and lower their target’s guard.
Scammers can get this private information from anywhere. Social media posts are a great window into the finer details of someone’s life, but dedicated attackers may even rummage through their target’s trash for clues. Information on debt, illnesses, or current life events is especially useful.
For example, scammers may contact you while impersonating the doctor you visited a few days ago. Perhaps they claim to be messaging you from their personal phone, which explains why you don’t recognize the number. The scammer will include a link to “paperwork” that you must fill out, but it’s actually a link that automatically downloads malware.
Avoiding spear smishing is pretty simple. Since the attacker claims to be someone you know, or are at least acquainted with, call the actual individual’s number first. Confirm the information through voice or in person before clicking on any links.
Types of Smishing Strategies
The US went through a significant upheaval in the past few years. Many people relocated, got sick, or are facing new debt. Smishing artists know this and are focusing their messages on attacking people’s stress over health and finances.
Common tactics of smishing attacks are:
Compromised Bank or Credit Card
The most common trick is claiming that your bank account or credit card has been hacked and you need to “verify your PIN” immediately. Banks and creditors may sometimes contact you with an update or warning, but these messages never contain a link to their website.
A legitimate message is usually frustratingly unhelpful: it recommends that you check your account status and urges you to “visit their site,” but it will never redirect you directly. Always go to the creditor’s site manually rather than following a provided link.
Free Gifts or Services
Good deals are hard to come by. When we see a sale on something we really need, it’s hard to fight the urge to buy it immediately. Some smishing scams exploit this temptation and send fake SMS deals urging you to “claim this deal NOW!”
It’s even more terrifying if the free gift specifies a product related to your hobbies or shopping history. This detail makes the deal seem more legitimate and harder to resist.
Order from “The Boss”
Requests from the boss are hard to refuse. Smishing scammers use an employee’s eager-to-please attitude to trick them into giving away private information. This can be login credentials to the company server or the contact information of other employees.
Don’t jump at an unsolicited text from your CEO or upper management. Even if they’re demanding “URGENT ASSISTANCE,” you should take a second to verify the text. After all, it’s better to wait a few minutes than compromise the entire business.
Scammers sometimes prowl LinkedIn profiles to single out employees who’ve just started a job. These workers are less likely to know the company’s safety protocols and more likely to make a hasty mistake.
The Lost Delivery Notification
The amount of business going through online channels is growing each year. More and more packages are arriving at our doorsteps, and consumers are constantly checking their phones for delivery updates on some item or another.
People impatiently waiting on a package are easy targets for smishing scammers. Their annoyance or excitement causes them to lower their guard and click on dangerous links. They hope to get an answer for slow delivery but invite malware onto their device instead.
It’s rare for companies to send SMS updates on in-progress packages. Buyers typically need to go online and input a unique tracking number or check the Amazon ‘orders and return’ page.
Concerned Friend or Relative
Phishing texts come in all shapes and sizes. Some are as simple as an unassuming message from your neighbor. If the scammer knows you own a cat, they may text you while you’re at work asking, “Is your cat missing?”
By responding, you’ve confirmed your phone number is in play, making you a target for future attacks.
Scammers also impersonate relatives or out-of-touch friends. They play on the target’s desire to reconnect with someone or on their family attachments. This approach works best on the elderly, who are sometimes lonely or starved for contact.
How to Protect Yourself from a Smishing Attack
Limiting the number of businesses that use your mobile number to send you text messages is one way to prevent some smishing attacks. If you have fewer messages in a day, you’re less likely to blindly respond to one that is an attack. It’s good practice to keep your cell phone number as private as possible because it’s one of many pieces of personally identifying data that may be sold on the dark web for account hacking and identity theft purposes.
Do NOT Respond
If you take anything from the list, it should be this. Never respond to unknown text messages. This is the most surefire way to keep malware off your phone and your number off the scammer’s potential target list.
Beware the “Bit.ly” Text
SMS links are usually long and appear unprofessional. This makes them easy to identify as scams. Smishing gets around this weakness by disguising long, malicious links as a Bit.ly redirect.
Bit.ly doesn’t show the full address but shortens the URL to a version of “bit.ly/xxx.” This function was meant to make links more shareable between contacts, but it had the unintentional downside of helping cybercriminals trick their targets.
If you get a Bit.ly link in the future, copy the link into your browser’s address bar and add the “+” symbol to the end of it. Doing so will redirect you to a preview page of where the original link would have sent you.
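The traits listed under “How Does Smishing Work?” and the Bit.ly “+” preview trick above can both be turned into a simple screening check. The following is an added example written for this article, not code from the author or from Bit.ly; the keyword lists, the set of shortener hosts, and the sample messages are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Indicator patterns (constructed for this example) mirroring the article's traits:
# urgency, a request for a PIN or credentials, a link whose destination is hidden, no greeting.
URGENCY_RE = re.compile(r"\b(urgent(ly)?|immediately|right now|within 24 hours|suspended|locked)\b")
CREDENTIAL_RE = re.compile(r"\b(pin|password|verify your|confirm your account)\b")
URL_RE = re.compile(r"(?:https?://)?(?:[\w-]+\.)+[a-z]{2,}(?:/\S*)?", re.IGNORECASE)
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd"}
GENERIC_SALUTATIONS = {"customer", "user", "member", "valued", "client"}

def extract_urls(text):
    """Return every URL-looking token in an SMS body, with a scheme prepended."""
    urls = []
    for match in URL_RE.finditer(text):
        url = match.group(0)
        if not url.lower().startswith("http"):
            url = "http://" + url
        urls.append(url)
    return urls

def preview_url(url):
    """Bit.ly '+' trick from the article: the preview page that reveals the destination."""
    parts = urlsplit(url)
    code = parts.path.strip("/")
    if parts.netloc.lower() == "bit.ly" and code:
        return f"https://bit.ly/{code}+"
    return None  # not a Bit.ly link; no preview page to offer

def has_personal_greeting(text):
    # A salutation followed by something other than a generic word like "customer".
    match = re.match(r"\s*(hi|hello|dear)\s+([a-z]+)", text.lower())
    return bool(match) and match.group(2) not in GENERIC_SALUTATIONS

def score_sms(text):
    """Score a message against the article's traits; returns (score, reasons)."""
    reasons = []
    lowered = text.lower()
    if URGENCY_RE.search(lowered):
        reasons.append("urgency or artificial deadline")
    if CREDENTIAL_RE.search(lowered):
        reasons.append("asks for a PIN or credentials")
    for url in extract_urls(text):
        host = urlsplit(url).netloc.lower()
        kind = "shortened link hides destination" if host in SHORTENER_HOSTS else "contains a link"
        reasons.append(f"{kind} ({host})")
    if not has_personal_greeting(text):
        reasons.append("no personal greeting (likely broadcast)")
    return len(reasons), reasons
```

A message that trips several indicators at once is the one to verify by calling the institution directly rather than following its link.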
Don’t Act Out of Fear
Do not respond quickly to messages that feel urgent. Phishing emails aim to make the recipient afraid or anxious over an artificial deadline. Legitimate businesses always give customers enough time to respond to warnings and updates. At the very least, you’ll have the time to contact the company directly.
Take a moment to investigate where it came from. If it still appears legitimate, close the message, and call the individual or business using their contact number or information found on an official website.
Look Up the Phone Number
Use a service or reverse phone number lookup tool that verifies phone numbers and train yourself to use it anytime an unrecognized message appears. There are many services available at varying price points. Notable choices include:
- TruthFinder
- PeopleFinders
- InfoTracer
- Spokeo
- US Search
- Been Verified
- SpyDialer
Additional Protection
Installing a VPN (a virtual private network) on your phone is another way to protect yourself. VPNs encrypt information and spoof your location, making it harder for scammers to capture and use accurate information from your device.
Updating your virus protection software and keeping your operating system updated are always essential. These steps should minimize data loss and perhaps block malware that may be launched on your phone through a smishing text.
Blocking unknown phone numbers or only accepting messages and calls from known contacts is a good practice if it’s possible. Some people who use their phones for both business and personal purposes are not able to block unknown numbers because they depend on incoming calls and messages for work. Also, blocking phone numbers or smishing messages might not be effective: because sophisticated scammers know how to spoof phone numbers, they can change the incoming number whenever necessary. Experts suggest deleting messages rather than responding in any way.